In this article I present a protocol for quantum cryptography which is secure against attacks
on individual signals. It is based on the Bennett-Brassard protocol of 1984 (BB84). The security 
proof is complete as far as the use of single photons as signal states is concerned. Emphasis is given 
to the practicability of the resulting protocol. For each run of the quantum key distribution the 
security statement gives the probability of a successful key generation and the probability for an 
eavesdropper's knowledge, measured as change in Shannon entropy, to be below a specified maximal 
value. 
I. INTRODUCTION

Quantum cryptography is a technique for generating and distributing cryptographic keys in which the secrecy of
the keys is guaranteed by quantum mechanics. The first such scheme was proposed by Bennett and Brassard in 1984
(BB84 protocol). Sender and receiver (conventionally called Alice and Bob) use a quantum channel, which is
governed by the laws of quantum mechanics, and a classical channel which is postulated to have the property that
any classical message sent will be faithfully received. The classical channel will also faithfully transmit a copy of the
message to any eavesdropper, Eve. Along the quantum channel a sequence of signals is sent, chosen at random from
two pairs of orthogonal quantum states. Each such pair spans the same Hilbert space. For example, the signals can
be realized as polarized photons: one pair uses horizontal and vertical linear polarization (+) while the other uses
linear polarization rotated by 45 degrees (×). Bob chooses at random one of two measurements, each performing
projection measurements in the basis + or ×. The sifted key consists of the subset of signals where the bases of
signal and measurement coincide, leading to deterministic results. This subset can be found by exchange of classical
information without revealing the signals themselves. Any attempt of an eavesdropper to obtain information about
the signals leads to a non-zero expected error rate in the sifted key and makes it likely that Alice and Bob can detect
the presence of the eavesdropper by comparing a subset of the sifted key over the public channel. If Alice and Bob find
no errors they conclude (within the statistical bounds of error detection) that no eavesdropper was active. They then
translate the sifted key into a sequence of zeros and ones which can be used, for example, as a one-time pad in secure
communication.

Several quantum cryptography experiments have been performed. In the experimental set-up noise is always present,
leading to a bit error rate of, typically, 1 to 5 percent errors in the sifted key. Alice and Bob cannot, even in
principle, distinguish between a noisy quantum channel and the signature of an eavesdropper's activity. The protocol of
the key distribution has therefore to be amended by two steps. The first is the reconciliation (or error correction) step
leading to a key shared by Alice and Bob. The second step deals with the situation that the eavesdropper now has to
be assumed to be in the possession of at least some knowledge about the reconciled string. For example, if one collects
some parity bits of randomly chosen subsets of the reconciled string as a new key then the Shannon information of
an eavesdropper on that new, shorter key can be brought arbitrarily close to zero by control of the number of parity
bits contributing towards it. This technique is the generalized privacy amplification procedure by Bennett, Brassard,
Crépeau, and Maurer.

The final measure of knowledge about the key used in this article is that of change of Shannon entropy. If we assign
to each potential key $x$ an a-priori probability $p(x)$ then the Shannon entropy of this distribution is defined as

$$S[p(x)] = -\sum_x p(x) \log p(x) . \tag{1}$$

Note that all logarithms in this article refer to base 2. The knowledge Eve obtains on the key may be denoted by
$k$ and leads to an a-posteriori probability distribution $p(x|k)$. The difference between the Shannon entropy of the
a-priori and the a-posteriori probability distribution is a good measure of Eve's knowledge:

$$\Delta_S(k) = S[p(x)] - S[p(x|k)] . \tag{2}$$
For short, we will call $\Delta_S(k)$ the entropy change. We recover the Shannon information as the expected value of that
difference as



where Eve's knowledge $k$ occurs with probability $p(k)$. If we are able to give a bound on $\Delta_S(k)$ for a specific run of the
quantum key distribution experiment then this is a stronger statement than a bound on the Shannon information: we
guarantee not only security on average but make a statement on a specific key, as required for secure communication.

The challenge for the theory of quantum cryptography is to provide a statement like the following one: If one
finds $e$ errors in a sifted key of length $n_{sif}$ then, after error correction under an exchange of $N_{rec}$ bits of redundant
information, a new key of length $n_{fin}$ can be distilled on which, with probability $1 - \alpha$, a potential eavesdropper
achieves an entropy change of less than $\Delta_{tol}$. Here $\Delta_{tol}$ has to be chosen in view of the application for which the
secret key is used. It is not necessary that each realization of a sifted key leads to a secret key; the realization
may be rejected with some probability $\beta$. In that case Alice and Bob abort the attempt and start anew.

The final goal is to provide the security statement taking into account the real experimental situation. For example,
no real channel exists which fulfills the axiom of faithfulness. There is the danger that an eavesdropper can separate
Alice and Bob and replace the public channel by two channels: one from Alice to Eve and another one from Eve to
Bob. In this separate-world scenario Eve could learn the full key without causing errors. She could establish
different keys with Alice and Bob and then effectively transfer the messages from Alice to Bob. This problem can be
overcome by authentication. This technique makes it possible for a receiver of a message to verify that the message
was indeed sent by the presumed sender. It requires that sender and receiver share some secret knowledge beforehand.
It should be noted that it is not necessary to authenticate all individual messages sent along the public channel. It is
sufficient to authenticate some essential steps, including the final key, as indicated below. In the presented protocol,
successful authentication verifies at the same time that no errors remained after the key reconciliation. The need
to share a secret key beforehand to accomplish authentication reduces this scheme from a quantum key distribution
system to a quantum key growing system: from a short secret key we grow a longer secret key. On the other hand,
since one needs to share a secret key beforehand anyway, one can use part of it to control the flow of side-information
to Eve during the stage of key reconciliation in a new way. By side-information we mean any classical information
about the reconciled key leaking to the eavesdropper during the reconciliation.

Another problem is that in a real application we cannot effectively create single photon states. Recent developments
by Law and Kimble promise such sources, but present day experiments use dim coherent states, that is coherent
pulses with an expected photon number of typically 1/10 per signal. The component of the signal containing two or
more photon states, however, poses problems. It is known that an eavesdropper can, by the use of a quantum
non-demolition (QND) measurement of the total photon number and splitting of signals, learn with certainty all signals
containing more than one photon without causing any errors in the sifted key. If Eve can get hold of an ideal quantum
channel this will lead to the existence of a maximum value of loss in the channel which can be tolerated. It is not known
at present whether this QND attack, possibly combined with attacks on the remaining single photons, is the optimal
attack but it is certainly pretty strong.

The eavesdropper is restricted in her power to interfere with the quantum signals only by quantum mechanics. In
the most general scenario, she can entangle the signals with a probe of arbitrary dimensions, wait until all classical
information is transmitted over the public channel, and then make a measurement on the auxiliary system to extract
as much information as possible about the key. Many papers, so far, deal only with single photon signals. At present
there exists an important claim of a security proof in this scenario by Mayers [11]. However, the protocol proposed
there is, up to now, far less efficient than the one proposed here. Other security proofs extend to a fairly wide class
of eavesdropping attacks, the coherent attacks [12].

In this paper I will give a solution to a restricted problem. The restriction consists of four points: 

• The eavesdropper attacks each signal individually, no coherent or collective attacks take place. 

• The signal states consist, indeed, of two pairs of orthogonal single photon states so that two states drawn from 
different pairs have overlap probability 1/2. 

• Bob uses detectors of identical detection efficiencies. 

• The initial key shared by Alice and Bob is secret, that is the eavesdropper has negligible information about it. 
Using the part of the key grown in a previous quantum key growing session is assumed to be safe in this sense. 

Within these assumptions I give a procedure that leads with some a-priori probability $\beta$ to a key shared by Alice and
Bob. If successful, the key is secure in the sense that with probability $(1 - \alpha)$ any potential eavesdropper achieved an
entropy change less than $\Delta_{tol}$. In contrast to all other work on this subject, this procedure takes into account that
the eavesdropper does not necessarily transmit single photons to the receiver; she might use multi-photon signals to
manipulate Bob's detectors. The procedure presented here might not be optimal, but it is certifiably safe within the
four restrictions mentioned before.

It should be pointed out that coherent eavesdropping attacks are at present beyond our experimental capability.
Alice and Bob can increase the difficulty of the task of coherent or collective eavesdropping attacks by using random
timing for their signals (although here one has to be wary about the error rate of the key) or by delaying their
classical communication, thereby forcing Eve to store her auxiliary probe system coherently for a longer time. There is
an important difference between the threat of growing computer power against classical encryption techniques and
the growing power of experimental skills in the attack on quantum key distribution: while it is possible to decode
today's message with tomorrow's computer in classical cryptography, you cannot use tomorrow's experimental skills
in eavesdropping on a photon sent and detected today. It therefore seems perfectly legitimate to put some technological
restrictions on the eavesdropper. This might be, for example, the restriction to attacks on individual systems, or even
the restriction to un-delayed measurements. For the use of dim coherent states one might be tempted to disallow
Eve to use perfect quantum channels and to give her a minimum amount of damping of her quantum channel. The
ultimate goal, however, should be to be able to cope without those restrictions.

The structure of the paper is as follows. In section II I present the complete protocol on which the security analysis
is based. Then, in section III I discuss in more detail the various elements contributing to the protocol. The heart
of the security analysis is presented in section IV before I summarize in section V the efficiency and security of the
protocol.



II. HOW TO DO QUANTUM KEY GROWING 



The protocol presented here is a suitable combination of the Bennett-Brassard protocol, reconciliation techniques 
and authentication methods. I make use of the fact that Alice and Bob have to share some secret key beforehand. 
Instead of seeing that as a draw-back, I make use of it to simplify the control of the side-information flow during 
the classical data exchange. Side-information might leak to Eve in the form of parity bits, exchanged between Alice 
and Bob during reconciliation, or in the form of knowledge that a specific bit was received correctly or incorrectly by 
Bob. The side-information could be taken care of during the privacy amplification step using the results of [13].
Here I present for clarity a new method to avoid any such side-information which correlates Eve's information about 
different bits (as parity bits do which are typically used in reconciliation) by using secret bits to encode some of the 
classical communication. 

The notation of the variables is guided by the idea that $n_x$ denotes numbers of bits, especially key length at various
stages, $N_x$ denotes numbers of secure bits used in different steps of the protocol, $\beta_i$ denote probabilities of failing to
establish a shared key, $\alpha_i$ denote failure probabilities critical to the safety of an established key, while $\gamma$ denotes the
probability that Alice and Bob, unknown to themselves, do not even share a key. Quantities $\bar{x}$ or $\langle x \rangle$ denote expected
values of the quantity $x$.

The protocol steps and their achievements are: 

1. Alice sends a sufficient number of signals to Bob to generate a sifted key of length $n_{sif}$.

2. Bob notifies Alice in which time slot he received a signal. 

3. Alice and Bob make a "time stamp" allowing them to make sure that the previous step has been completed
before they begin the next step. This can be done, for example, by taking the time of synchronized clocks after
step 2 and including this time in the authentication procedure.

4. Alice sends the bases used for the signals marked in the second step to Bob. 

5. Bob compares this information with his measurements and announces to Alice the elements of the generalized
sifted key of length $n_{sif}$. The generalized sifted key is formed by two groups of signals. The first is the sifted
key of the BB84 protocol formed by all those signals which Bob can unambiguously interpret as a deterministic
measurement result of a single photon signal state. The second group consists of those signals which are
ambiguous as they cannot be thought of as triggered by single photon signals. If two of Bob's detectors (for
example monitoring orthogonal modes) are triggered, then this is an example of an ambiguous signal. The
number of these ambiguous signals is denoted by $n_D$.

The announcement of this step has to be included into the authentication. 
6. Reconciliation: Alice sends, in total, $N_{rec}$ encoded parity-check bits over the classical channel to Bob as a key
reconciliation. Bob uses these bits to correct or to discard the errors. During this step he will learn the actual
number of errors $n_{err}$. The probability that an error remains in the sifted key is given by $\beta_1$. Depending on the
reconciliation scheme, Eve learns nothing in this step, or knows the position of the errors, or knows that Bob
received all the remaining bits correctly.

7. From the observed number of errors $n_{err}$ and of ambiguous non-vacuum results $n_D$ Bob can conclude, using
a theorem by Hoeffding, that the expected disturbance measure $\bar{e} = \frac{\bar{n}_{err} + w_D \bar{n}_D}{n_{rec}}$ is, with probability $1 - \alpha_1$,
below a suitably chosen upper bound $e_{\max}$. With probability $1 - \beta_2$ they find a value for $\alpha_1$ which allows them
to continue this protocol successfully. Here $w_D$ is a weight factor fixed later on.

8. Given the upper bound on the disturbance rate $e_{\max}$, Alice and Bob shorten the key by a fraction $\tau$ during privacy
amplification such that the Shannon information on that final key is below $I$. The shortening is accomplished
using a hash function chosen at random. To make a statement about the entropy change $\Delta_S(k)$ Eve achieved
for this particular transmission they observe that this change is with probability $1 - \alpha_2$ less than $\Delta_{tol}$. The
probability ck2 can be estimated by a2 < a77- 

9. In the last step Alice chooses at random a suitable hash function which she transmits encrypted to Bob using
$N_{aut}/2$ secret bits. Then she hashes with that function her new key, the time from step 3, and the string of
bases from step 5 into a short sequence, called the authentication tag. The tag is sent to Bob who compares it
with the hashed version of his key. If no error was left after the error correction the tags coincide. This step is
repeated with the roles of Alice and Bob interchanged. If Bob detects an error rate too high to allow them to proceed
with the protocol, he does not forward the correct authentication to Alice. The probability that Eve could have
guessed the secret bits used by Alice or by Bob to encode their hashed message is given by $\alpha_3$. The probability
that a discrepancy between the two versions of the key remains undetected is denoted by $\gamma$.

The probability of detected failure is $\beta$ with $\beta < \beta_1 + \beta_2$ and this failure does not compromise the security. In the
case of success Alice and Bob can now say that, at worst, with a probability of undetected failure (failure of security)
of $\alpha$ (with $\alpha < \alpha_1 + \alpha_2 + \alpha_3$) the eavesdropper can achieve an entropy change for the final key which is bigger than
$\Delta_{tol}$. The remaining probability $\gamma$ describes the probability that Alice and Bob do not detect that they do not even
share a key.

Note that the final authentication is made symmetric so that no exchange of information over the success of that
step is necessary. Otherwise a party not comparing the authentication tags could regard the key as safe in a
separate-world scenario. More explanation about the authentication procedure can be found in section III E. The classical
information becoming available to Eve during the creation of the sifted key will be taken care of in the calculations
of section IV.



The public channel is now used for the following tasks: 

• creation of the sifted key, where Eve learns which signals reached Bob and from which signal set each signal was
chosen,

• transmission of encrypted parity check bits, on which Eve learns nothing, 

• for bi-directional reconciliation methods: feedback concerning the success of parity bit comparisons (see following 
section), 

• for reconciliation methods which discard errors: the location of bits discarded from the key, 

• announcement of the hash function chosen in this particular realization, 

• transmission of the encrypted hash function for authentication and of the unencrypted authentication tags. 

The main subject of this paper is to give the fraction $\tau$ by which the key has to be shortened to match the security
target as a function of the upper bound on the disturbance $e_{\max}$. The estimation has to take care of all information
available to Eve by a combination of measurements on the quantum channel and classical information overheard 
on the public channel. This classical information depends on the reconciliation procedure used. The nature of this 
information might allow Eve to separate the signals into subsets of signals, for example those being formed by the 
signals which are correctly (incorrectly) received by Bob, and to treat them differently. 

The knowledge of the specific hash function is of no use to Eve in construction of her measurement on the signals. 
This is a result of the assumption that Eve attacks each signal individually and that the knowledge of the hash 
functions tells Eve only whether a specific bit will count towards the parity bit of a signal subset or not. She will only
learn how important each individual bit is to her. If the bit is not used then it is too late to change the interaction
with that bit to avoid unnecessary errors, since the damage by interaction has been done long before. If it is used, 
then Eve intends to get the best possible knowledge about it anyway. This situation might be different for scenarios 
which allow coherent attacks. 



III. ELEMENTS OF THE QUANTUM KEY GROWING PROTOCOL 



In this section I explain in more detail the steps of the quantum key growing protocol. Special attention is given to
the security failure probabilities $\alpha_i$, limiting the security confidence of an established shared key, and to the failure
probabilities $\beta_i$, limiting the capability to establish a shared key.



A. Generation of the generalized sifted key 



Elements of the generalized sifted key are signals which either can be unambiguously interpreted as being
deterministically detected, given the knowledge of the polarization basis, or which trigger more than one detector. We think of
detection set-ups where detectors monitor one relevant mode each. Due to loss it is possible to find no photon in any
mode. Since Eve might use multi-photon signals we may find photons in different monitored modes simultaneously,
leading to ambiguous signals since more than one detector gives a click. Detection of several photons in one mode,
however, is deemed to be an unambiguous result. (See further discussion in section IV B.) In practice we will not be
able to distinguish between one or several photons triggering the detector. The length of the sifted key accumulated
in that way is kept fixed at $n_{sif}$.



B. Reconciliation 



For the reconciliation we have to distinguish two main classes of procedures: one class corrects the errors using
redundant information and the other class discards errors by locating error-free subsections of the sifted key. The class
of error-correcting reconciliation can be divided into two further subclasses: one subclass uses only uni-directional
information flow from Alice to Bob while the second subclass uses an interactive protocol with bi-directional information
flow.

The difference between the three approaches with respect to our protocol shows up in the number of secret bits they
need to reconcile the string, the length of the reconciled string, and the probability of success of reconciliation. For
experimental realization one should think as well of the practical implementation. For example, interactive protocols
are very efficient to implement. To illustrate the difference I give examples for the error correction protocols.

The benchmark for efficiency of error correction is the Shannon limit. It gives the minimum number of bits which
have to be revealed about the correct version of a key to reconcile a version which is subjected to an error rate $e$.
This limit is achieved for large keys and the error correction probability approaches then unity. The Shannon limit is
given in terms of the amount of Shannon information $I_S(e)$ contained in the version of the key affected by the error
rate $e$. For a binary channel, as relevant in our case, this is given by

$$I_S(e) = 1 + e \log e + (1 - e) \log(1 - e) . \tag{4}$$

The minimum number of bits needed, on average, to correct a key of length $n$ affected by the error rate $e$ is then
given by

$$n_{min} = n \left\{ 1 - I_S(e) \right\} . \tag{5}$$

As mentioned before, perfect error correction is achievable only for $n \to \infty$.



1. Linear Codes for error correction. 



Linear codes are a well-established technique which can be viewed in a standard approach as attaching to each
$k$-bit signal a number of $(n - k)$ linearly independent parity-check bits, making it in total an $n$-bit signal. The
receiver gets a noisy version of this $n$-bit signal and can now in a well-defined procedure find the most likely $k$-bit
signal. Linear codes which will safely return the correct $k$-bit signal if up to $l$ of the $n$ bits were flipped by the noisy
channel are denoted by $[n, k, d]$ codes (with $d = 2l + 1$). If the signal is affected by more errors then these will be
corrected with less than unit probability.

This technique can be used for error correction. Alice and Bob partition their sifted key into blocks of size k. For 
each block Alice computes the extra $n - k$ parity bits, encodes them with secret bits and sends them via the classical
channel to Bob. Bob then corrects his block according to the standard error correction technique. This procedure
could be improved, since the $[n, k, d]$ codes are designed to cope with the situation that even the parity bits might be
affected by noise. One can partly take advantage of the situation that these bits are transmitted correctly. However, 
non-optimal performance is not a security hazard. 

The search for an optimal linear code is beyond the scope of this paper. To illustrate the problem I present as
specific example the code [512,422,21]. It uses 90 redundant parity bits to protect a block of 422 bits against 10
errors. So how does this linear code perform if we use it to reconcile a string of $n_{sif} = 10128$ bits which are affected
by an error rate of 1%? It can be shown that this string will be reconciled with a probability of $(1 - \beta_1) = 0.908$ at
an expense of $N_{rec} = 2160$ secret bits. The practical implementation of a code as long as this one is, however, rather
problematic from the point of view of computational resources. In comparison, in the Shannon limit we need to use
819 bits for this task.



2. Interactive error correction 

An interactive error correction code was presented by Brassard and Salvail. This code is reported to correct
a key with an error rate of 1% and length $n_{sif} = 10000$ at an average expense of $N_{rec} = 933$ bits. No numbers for $\beta_1$
are given, but in several tries no remaining error was found. This protocol operates acceptably close to the Shannon
limit which tells us that we need at least 808 bits to correct the key.
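
The figures quoted in the two subsections above (819 and 808 bits for the Shannon limit, 2160 secret bits and a success probability of 0.908 for the [512,422,21] code) can be reproduced with a short calculation. This is an added example, not code from the paper; it assumes independent bit errors at rate e and counts a block as failed when its k key bits contain more than (d-1)/2 errors (the parity bits arrive error-free over the classical channel), and the function names are illustrative.

```python
import math


def binary_entropy(e):
    """h(e) = -e log2 e - (1-e) log2(1-e), i.e. 1 - I_S(e) with I_S from Eq. (4)."""
    if e <= 0.0 or e >= 1.0:
        return 0.0
    return -e * math.log2(e) - (1 - e) * math.log2(1 - e)


def shannon_min_bits(n, e):
    """Eq. (5): n_min = n {1 - I_S(e)}, rounded up to whole bits."""
    return math.ceil(n * binary_entropy(e))


def block_success_probability(k, e, max_errors):
    """Probability that a k-bit block with i.i.d. error rate e holds <= max_errors flips."""
    return sum(
        math.comb(k, j) * e**j * (1 - e) ** (k - j) for j in range(max_errors + 1)
    )


def linear_code_cost(n_sif, n, k, d, e):
    """Cost of reconciling an n_sif-bit sifted key block-wise with an [n, k, d] code.

    Assumptions of this example: the key splits into whole k-bit blocks, the
    n - k parity bits of each block are one-time-pad encrypted (one secret bit
    each) and received without error, and a block fails if it holds more than
    (d - 1) // 2 errors.
    """
    if n_sif % k:
        raise ValueError("n_sif must be a multiple of the block size k")
    blocks = n_sif // k
    correctable = (d - 1) // 2
    secret_bits = blocks * (n - k)                     # N_rec
    p_success = block_success_probability(k, e, correctable) ** blocks  # 1 - beta_1
    shannon = shannon_min_bits(n_sif, e)
    return {
        "blocks": blocks,
        "correctable": correctable,
        "secret_bits": secret_bits,
        "p_success": p_success,
        "shannon_bits": shannon,
        "overhead": secret_bits / shannon,             # factor above the Shannon limit
    }


if __name__ == "__main__":
    # Linear code example from the text: [512,422,21], 10128 bits, 1% errors.
    print(linear_code_cost(10128, 512, 422, 21, 0.01))
    # Interactive protocol example: 933 bits spent on 10000 bits at 1% errors.
    limit = shannon_min_bits(10000, 0.01)
    print(limit, 933 / limit)
```

With these inputs the linear code spends about 2.6 times the Shannon limit, while the interactive protocol's 933 bits are about 1.15 times its limit of 808 bits.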



3. Situation after reconciliation 

After reconciliation Alice and Bob share with probability $(1 - \beta_1)$ the same key. The eavesdropper gathered some
information from measurements on the quantum channel. The information she gained from listening to the public
channel puts her now into different positions depending on the reconciliation protocol. In case errors are discarded, she
knows that all remaining bits in the reconciled string were received correctly by Bob during the quantum transmission.
If a uni-directional error correction protocol is used, then listening to the public channel during reconciliation does
not give Eve any extra hints. The interactive error correction protocol, however, leaks some information to Eve about
the position of bits which were received incorrectly by Bob during the quantum protocol. We will have to take this
into account later on. There we take the view that Eve knows the positions of all errors exactly.

A difference between correcting and discarding errors is that, naturally, discarding errors will lead to a shorter
reconciled string of length $n_{rec} < n_{sif}$, while the length of the key does not change during error correction so that
$n_{rec} = n_{sif}$. Common to all schemes is that Alice and Bob know the precise number of errors which occurred (provided
the reconciliation worked). When they discard parts of the sifted key they can open up the discarded bits and learn
thereby the actual number of errors (although in this case an additional problem of authentication arises), and when
they correct errors Bob knows the number of bit-flips he performed during error correction. This is just the number
of errors of the sifted key.

Contrary to common belief it is therefore not necessary to sacrifice elements of the sifted key by public comparison 
to determine or estimate the number of occurred errors. 



C. Privacy amplification and the Shannon information on final key



In previous work it has been shown that for typical error rates in an experimental set-up the eavesdropper could
gain, on average, a non-negligible amount of Shannon information on the reconciled key. This means that we
cannot use it as a secret key right away. Classical coding theory shows a way to distill a final secret key from the
reconciled key by the method of privacy amplification. As a practical implementation of the hashing involved, the
secret key is obtained by taking $n_{fin}$ parity bits of randomly chosen subsets of the $n_{rec}$ bits of the reconciled string.
The choice of the random subsets is made only at that instance and changes for each repetition of the key growing
protocol. This shortening of the key to enhance the security of the final key is common to all other approaches that
deal with the security of quantum cryptography, for example by Mayers or Biham et al. However, the approaches differ
in the way the fraction $\tau$ by which the key has to be shortened is determined. In the case of individual eavesdropping
attacks we can go via the collision probability as described below. When we consider joint or collective attacks
it is not possible to take this approach due to correlation between the signals which possibly allows Eve to gain an
advantage by delaying her measurement until she learns the specific parity bits entering the final key.

In the first step we give the main formulas of privacy amplification and introduce the parameter $\tau_1(\bar{e})$. This
parameter indicates the fraction by which the key has to be shortened such that the expected eavesdropping information
on the final key is less than 1 bit of Shannon information. It is given as a function of Eve's acquired collision
probability. Any additional bit by which the key is shortened leads to an exponential decrease of that expected
Shannon information.

We denote by $z$ the final key of length $n_{fin}$, by $x$ the reconciled key of length $n_{rec}$ and by $y$ the accumulated
knowledge of the eavesdropper due to her interaction with the signals and the overheard classical communication via
the public channel. We keep separately the hash function $g$ which, for example, describes the subsets whose parity
bits form the final key. This hash function is part of Eve's knowledge in each realization. Eve's knowledge is expressed
in a probability distribution $p(z|g,y)$, that is the probability that $z$ is the key given Eve's measurement results and
side-information on the key. In a trivial extension of the starting equation of M we find that the Shannon information 
$I$, averaged over the hash functions, is bounded by

$$I = \langle i \rangle_g < n_{fin} + \log \langle p_c^z(g,y) \rangle_{y,g} \tag{6}$$

with the collision probability on the final key defined as $p_c^z(g,y) = \sum_z p^2(z|g,y)$. The collision probability $\langle p_c^z(g,y) \rangle_g$
on the final key, averaged with respect to $g$, is bounded by the collision probability $p_c^x(y) = \sum_x p^2(x|y)$ on the
reconciled key as

$$\langle p_c^z(g,y) \rangle_g < 2^{-n_{fin}} \left( 2^{n_{fin}} p_c^x(y) + 1 \right) . \tag{7}$$

This can be trivially extended to an inequality for $\langle p_c^z(g,y) \rangle_{y,g}$ resulting in

$$\langle p_c^z(g,y) \rangle_{y,g} < 2^{-n_{fin}} \left( 2^{n_{fin}} \langle p_c^x(y) \rangle_y + 1 \right) . \tag{8}$$

This allows us to give the estimate

$$I < \log \left( 2^{n_{fin}} \langle p_c^x(y) \rangle_y + 1 \right) \tag{9}$$

bounding the eavesdropper's expected Shannon information by her expected collision probability on the sifted key
and the length of the final key.

We can reformulate the estimate (9) by introducing the fraction $\tau_1$. If we shorten the reconciled key by this fraction
then Eve's expected Shannon information is just one bit on the whole final key. Therefore we find

$$\tau_1 = 1 + \frac{1}{n_{rec}} \log \langle p_c^x(y) \rangle_y . \tag{10}$$

We introduce the security parameter $n_S$ as the number of bits by which the final key is shorter than prescribed by
the fraction $\tau_1$. This security parameter $n_S$ is implicitly defined by

$$n_{fin} = (1 - \tau_1)\, n_{rec} - n_S . \tag{11}$$

With the definitions of $\tau_1$ and $n_S$ we then find

$$I < \log \left( 2^{-n_S} + 1 \right) \approx \frac{2^{-n_S}}{\ln 2} . \tag{12}$$

From this relation we see that the total amount of Eve's expected Shannon information on the final key decreases
exponentially with the security parameter $n_S$. The main part of this paper will be to estimate $\langle p_c^x(y) \rangle_y$ for various
scenarios as a function of the expected disturbance rate $\bar{e}$ to estimate $\tau_1$ and with that to estimate $I$ as a function of $\bar{e}$.



D. From expected quantities to specific quantities 

In the previous section we showed that once we know the expected disturbance rate $\bar\epsilon$ and the functional dependence
of $\tau_1(\bar\epsilon)$, we can estimate the eavesdropper's Shannon information $I$ on the final key in dependence of $n_S$ via equation
(12). In this section we now show how to link the observed error rate to the expected error rate and how to estimate
the entropy change $\Delta S$ in a single run from the expected Shannon information $I$.

1. From the measured error rate to the expected error rate



Alice and Bob establish a generalized sifted key of length $n_{\mathrm{sif}}$. During reconciliation of the sifted key Bob learns
the actual number of errors $n_{\mathrm{err}}$ of unambiguous signals while he already knows the number $n_D$ of ambiguous signals.
Our definition of disturbance is here

$$\epsilon = \frac{n_{\mathrm{err}} + w_D n_D}{n_{\mathrm{rec}}} \qquad (13)$$

with $w_D$ as adjustable weight parameter for ambiguous signals to be chosen in a suitable way. We will present in
section IV G a model for which we can choose $w_D = 1/2$. In the case of error correction we have to correct even the
ambiguous signals to keep the number $n_{\mathrm{sif}}$ fixed and to keep control about the disturbance. The reason is we need
to formulate a measure of disturbance per element of the reconciled key which is bounded. This is possible for
correction of errors. In the case of discarding errors the number of errors and ambiguous results per remaining bit is
unbounded and we fail to be able to give a bound on $\bar\epsilon$ from the measured values.

Therefore we restrict ourselves to the case of corrected errors where we find the length $n_{\mathrm{rec}}$ of the reconciled string
to be equal to the length $n_{\mathrm{sif}}$ of the generalized sifted key. In this situation the measured disturbance is given by
$\epsilon_{\mathrm{meas}} = (n_{\mathrm{err}} + w_D n_D)/n_{\mathrm{sif}}$. Since $n_{\mathrm{sif}}$ is kept fixed the expected disturbance is given by
$\bar\epsilon = \langle n_{\mathrm{err}} + w_D n_D \rangle / n_{\mathrm{sif}}$. From the measured value $\epsilon_{\mathrm{meas}}$ we estimate the average disturbance
parameter $\bar\epsilon$.

To make the role of e clear it should be pointed out that any given eavesdropping strategy will lead to an expected 
error probability e while the actually caused and observed error rate can be much lower for an individual run of the 
protocol. For example, think of an intercept/resend protocol as in ]Tot where Eve has her lucky day and measures, 
by chance, all signals in the appropriate bases. This is not very likely, but the treatment presented here takes care of 
this possibility. 



In an application of a theorem by Hoeffding [17], which has been used already in [12], we find an estimate of the
number $\langle n_{\mathrm{err}} + w_D n_D \rangle$ from the actually measured number $n_{\mathrm{err}} + w_D n_D$ for a total number of $n_{\mathrm{sif}}$ signals as

$$\langle n_{\mathrm{err}} + w_D n_D \rangle < n_{\mathrm{err}} + w_D n_D + n_{\mathrm{sif}}\, \delta \qquad (14)$$

with probability

$$(1 - \alpha_1) > 1 - \exp(-2 n_{\mathrm{sif}} \delta^2) \qquad (15)$$

as long as $w_D < 1$. For $w_D > 1$ we have to replace equation (15) by (1 — ai) > 1 — exp(— 2!k^^). This means that
we can give a bound on the expected disturbance parameter $\bar\epsilon$ from the observed quantities $n_D$ and $n_{\mathrm{err}}$ within a
certain confidence limit. To give a numeric example we choose $w_D = 1/2$ (see section IV G) and refer to the situation
reported by Marand and Townsend. There an experiment is presented which can create a sifted key of length
$n_{\mathrm{sif}}$ = 1.4 X 10~^n from an exchange of n quantum signals at an error rate of 1.2% with a negligible amount of
ambiguous signals. Then the choice of $\delta = 0.038$ and a sampling with n = 10^ leads to a reconciled key of length
$n_{\mathrm{sif}}$ = 1.4 X 10'' with a value of $\alpha_1$ ~ 10^^^. This is the probability that the expected disturbance parameter $\bar\epsilon$ in
a typical realization of the key transfer is less than a maximal value of $\epsilon_{\max} = 0.05$. The value $\epsilon_{\max}$ will be used in
privacy amplification. An eye has to be kept on the sampling time. With the experiment described in it will take
about 10 seconds to establish the sifted key. An example for smaller samples is the choice of n = 10^ and $\delta = 0.4$ which
leads for the same system to a reconciled key of length $n_{\mathrm{sif}} = 140$ and $\alpha_1$ « 10~^^, $\epsilon_{\max} = 0.412$. The probability $\beta_2$
to fail to achieve a satisfactory level of confidence at this stage is in most cases negligible in comparison to the failure
of reconciliation. It should be noted that these numbers give a rough guidance only, since the experiment does not
use single-photon signals.



2. Expected information and information in specific realization 

We still need to link the change of Shannon entropy $\Delta S$ on the final key in an individual realization of the protocol
with a given probability to the Shannon information $I$, that is over the average over many realizations. The key is
thought of as unsafe if the eavesdropper achieves an entropy change bigger than $\Delta_{\mathrm{tol}}$ in a specific realization. This
happens at most with probability $\alpha_2$ which is bounded implicitly by $I > \alpha_2 \Delta_{\mathrm{tol}}$ leading to

$$\alpha_2 < \frac{I}{\Delta_{\mathrm{tol}}} = \frac{\log(2^{-n_S} + 1)}{\Delta_{\mathrm{tol}}} \approx \frac{2^{-n_S}}{\Delta_{\mathrm{tol}} \ln 2} . \qquad (16)$$

So the knowledge of an estimate for $I$ and the prescription of an acceptable value of $\Delta_{\mathrm{tol}}$ gives us the probability
$1 - \alpha_2$ of secrecy of the key.
E. Authentication

The tools of the previous sections allow Alice and Bob to construct a common secret key provided that their classical
channel is faithful. Since channels with that property, as such, do not exist, we need to authenticate the procedure
to make sure that Alice and Bob actually share the new key. Authentication can protect at the same time against
errors which survived the reconciliation step and against an eavesdropping attack with a "separate world" approach.

It is essential to make sure that Eve has no influence on the choice of bits entering the generalized sifted key
exceeding the power to manipulate the quantum channel. The time-stamp step 3 in the protocol assures us that there
is no point in Eve faking the public discussion up to that point since she gained no additional information about the
signals so far, especially no information about the polarization basis.

The following sequence of bases for the successfully received signals sent from Alice and Bob does not need to
be authenticated as well since Eve can not bar corresponding signals from the sifted key without knowing Bob's
measurements as well. However, the message describing which bits finally form the generalized sifted key needs to be
authenticated since Eve is now in the position to bar signals from the sifted key she shares with Alice by manipulation
of the contents of the message p^ .

The subsequent reconciliation protocol need not be authenticated if we authenticate the final key. The reason
for that is that the previous steps fixed the reconciled key as the generalized sifted key in Alice's version. If Eve
tampers with the reconciliation protocol then Bob will fail to correct his key so that it becomes equal to Alice's key.
Authentication of the final key will therefore be sufficient to protect against tampering with the public channel in this
step. It doubles at the same time to protect against incomplete reconciliation.

To summarize, we need to authenticate the string identifying the elements of the sifted key within the received
signals, the time stamp, and the final key. The length of this string is roughly $m \approx 2 n_{\mathrm{sif}}$. The authentication is done
in the following way which is based on the authentication procedure of Wegman and Carter:

Alice chooses a hash function of approximate length $N_{\mathrm{aut}}/2 = 4t \log m$ and sends it encrypted to Bob. Both evaluate
the hashed version of the message, the tag, of length $t$. Alice sends the tag via the public channel to Bob. If the tags
coincide then this step is repeated with the role of Alice and Bob interchanged. With this symmetric scheme we make
sure that neither Alice nor Bob can be coaxed into a position where they think that authentication succeeded when
it in fact failed. The probability that Eve could fake the authentication is given by

$$\alpha_3 = 2^{-t+1} . \qquad (17)$$

This is at the same time the probability that two distinct final keys lead to the same hashed key. Any remaining error
in the final key will therefore lead with probability $1 - \alpha_3$ to a failure of the authentication.

IV. EXPECTED COLLISION PROBABILITY AND EXPECTED ERROR RATE 

This section represents the major input of physics to the quantum key growing protocol. The aim is to put an upper
bound on the expected average collision probability Eve obtains on the reconciled key as a function of an average
disturbance rate her eavesdropping strategy inflicted on the signals. This is done for two methods of reconciliation,
correcting or deleting errors. The result will allow us to give values for the parameter $\tau_1(\bar\epsilon)$.

A. Collision probability on individual signal 

The collision probability on the reconciled key is defined by 

We assume that the signals sent by Alice are statistically independent of each other and Eve interacts with and performs
measurements on each bit individually. Furthermore, we avoid side-information which correlates signals by the use
of secret bits in the reconciliation step. Therefore the conditional probability function $p(x|y)$ for $x$ being the key
given Eve's knowledge $y$ factorises into a product of probabilities for each signal. With that the expected collision
probability factorises as well into a product of the expected collision probability for each bit. We denote by the
expected collision probability on one bit so that

Furthermore, we denote by the index $\alpha \in \{+, \times\}$ the two conjugate bases (e.g. horizontal or vertical polarization for
single photons) used to encode the signals, by $\Psi \in \{0, 1\}$ the logical values, and by $k$ the possible outcomes of Eve's
measurement. This leads to an expression of the expected collision probability, at this stage, as



E 



We find for the parameter $\tau_1$ describing the shortening of the key during privacy amplification from eqn. (10)

$$\tau_1 = \log(2 p_c) . \qquad (20)$$



B. Eve's interaction and detection description 

The action of the eavesdropper can be described by a completely positive map |po| , pT| acting on the signal density
matrices $\rho$ as

$$\tilde\rho = \sum_k A_k \rho A_k^\dagger \qquad (21)$$

where we can associate this interaction with a measurement by Eve of a Probability Operator Measure (POM) formed
by the operators $F_k = A_k^\dagger A_k$. The operators $A_k$ are arbitrary operators mapping the Hilbert space of the signals to an
arbitrary Hilbert space. The only restriction is that $\sum_k A_k^\dagger A_k$ gives the identity operator of the signal Hilbert space.
The probability for occurrence of outcome $k$ is then given by $p(k) = \mathrm{Tr}(\rho F_k)$. The action of Bob's detectors can be
described by a POM on the resulting Hilbert space after Eve's interaction. Since the detection POM elements and
the signal density operators can be represented by real matrices, we can assume the operators $A_k$ to be represented
by real matrices as well.

This does not limit the generality of the approach, since the outcome corresponding to an operator
$A_k = A_k^{\mathrm{re}} + i A_k^{\mathrm{im}}$, with real operators $A_k^{\mathrm{re}}$ and $A_k^{\mathrm{im}}$, is triggered with probability
$\mathrm{Tr}(\rho A_k^{\mathrm{re}\dagger} A_k^{\mathrm{re}}) + \mathrm{Tr}(\rho A_k^{\mathrm{im}\dagger} A_k^{\mathrm{im}})$ and the outcome
probability for Bob's detection, corresponding to POM element $F$ if outcome $k$ of Eve's measurement is being
triggered, is given by $\mathrm{Tr}(A_k^{\mathrm{re}} \rho A_k^{\mathrm{re}\dagger} F) + \mathrm{Tr}(A_k^{\mathrm{im}} \rho A_k^{\mathrm{im}\dagger} F)$. Since no cross-terms mixing
$A_k^{\mathrm{re}}$ and $A_k^{\mathrm{im}}$ occur this means that using the two real operators $A_k^{\mathrm{re}}$ and $A_k^{\mathrm{im}}$, instead of
$A_k = A_k^{\mathrm{re}} + i A_k^{\mathrm{im}}$, will not change the outcome probabilities of Bob's detectors but refines Eve's measurement.

Two typical detection set-ups are shown in figure 1. The active version consists of a polarization analyzer (two
detectors monitoring each an output of a polarizing beam-splitter) and a phase shifter which effectively changes the
polarization basis of the subsequent measurement. Here one has actively to choose the polarization basis of the
measurement. The passive device uses two polarization analyzers, one for each basis, and uses a beam-splitter to split
the incoming signal so that the two polarization analyzers are used with equal probability for detection.

FIG. 1. (a) Active device: Bob's two detectors consist each of a polarizing beam splitter and an ideal detector. The
polarizing beam splitter discriminates the two orthogonal linear polarized modes. Using a polarization shifter the polarization
basis can be changed as desired. Detector efficiencies are modeled by a beam splitter which represents the loss and which
is thought of as being part of the eavesdropper's strategy. This beam splitter can be seen as part of the quantum channel.
(b) Passive device: Here one uses two detection modules as presented in (a), one for each polarization basis. The central
beam-splitter takes the task to "switch" between the two polarization analyzers.



One can represent the detectors by beam-splitters combined with ideal detectors |2^. Then the beam-splitters
can be thought to be responsible for the finite efficiency. Since all detectors are assumed to be equal, the losses of
all detectors involved can be attributed to a single loss beam-splitter, which is then thought of as being part of the
transmission channel rather than being part of the detection unit.

We can use the idea of ideal detectors which measure each a POM with two elements, the projection operator onto
the vacuum (no "click") and the projection on the Fock-subspaces with at least one photon ("click"). The POM of
the active and the passive set-up then contains the elements $F_{\mathrm{vac}}$, $F_{0+}$, $F_{1+}$, $F_{0\times}$, $F_{1\times}$, $F_D$. These are projections
onto the vacuum, $F_{\mathrm{vac}}$, onto states with at least one photon in one of the four signal polarizations and none in the
others, therefore leading to an unambiguous result, and onto the rest of the Hilbert space, that is onto all states
containing at least one photon in the signal polarization and at least one in an orthogonal mode, $F_D$. The first POM
outcome manifests itself in no detector click at all, the following four give precisely one detector click, and the last one
gives rise to at least two detectors being triggered. If we denote by $|n, m\rangle_\alpha$ the state which has $n$ photons in one mode
and $m$ photons in the orthogonal polarization mode with respect to the polarization basis $\alpha$, use the abbreviation
for the projector onto the vacuum and E^^^ for the projector onto the state with $n$ photons in the polarization
mode corresponding to $\Psi\alpha$, then the POM of detection unit (a) is given by

i^vac = (22) 



^ OO 



n=l 



= ^ ^ \n,m)+{n,m\ + ^ ^ |n,m)x(n,m|. 

n,m— 1 n,m— 1 

On the other hand, the passive detection scheme (b) is more susceptible to signals containing more than one photon. 
It is described by the POM 

Fvac = (23) 

oo / -, \ n 
+ 2 XI + 2 X \n,m)x{n,m\.

n,m=l ri,m=l 

The next idea concerns all detection set-ups where all elements of the POM commute with the projections $E_n$
onto the subspaces of total photon number $n$. In that case we find that Bob's measurement on the final signal gives
outcome $i \in \{\mathrm{vac}, \Psi\alpha, D\}$ with probability

$$P_{\mathrm{Bob}}(i) := \mathrm{Tr}\Big( \sum_k A_k \rho A_k^\dagger F_i \Big) = \mathrm{Tr}\Big( \sum_{k,n} E_n A_k \rho A_k^\dagger E_n F_i \Big)$$

We can now replace the set of $A_k$'s by the set $A_{n,k} := E_n A_k$ which still describes Eve's measurement but for which each
element maps the Hilbert space of the signals to a Hilbert space with a fixed photon number. Eve will now associate
a POM element of her measurement with each such $A_{n,k}$ thereby refining her POM and leading to an increase of her
knowledge. For short we write again $A_k$ for this set, for which now the property is assumed that the signal arriving
at Bob's detection unit is an eigenstate of the total photon number operator. We can divide the index set $K$ of $k$
into subsets $K^{(n)}$ so that for each $k \in K^{(n)}$ the operator $A_k$ maps the one-photon Hilbert space of the signal into the
$n$-photon space. This is useful to distinguish contributions of signals with different photon number.

We still have to discuss how to represent a delayed measurement in this picture. A delayed measurement is
performed in the way that Eve brings an auxiliary system into contact with the signal so that they evolve together
under a controlled unitary evolution. Then the signal is measured by Bob while Eve delays the measurement of
her auxiliary system until she has received all classical information exchanged over the public channel. Having this
knowledge, she picks the optimal measurement to be performed on her auxiliary system. Classical information useful
to Eve is information that allows her to divide the signals into subsets which should experience different treatment.
In our situation this information is represented by the polarization basis of the signal and, for bi-directional error
correction, by the knowledge whether the signal was received correctly by Bob. We have therefore to assume, for
example, that Eve's delayed measurement is characterized by the set of operators $A_k$ with $k \in K$, giving rise to Eve's
POM $F_k = A_k^\dagger A_k$, and which are applied to the signals from the set $\alpha = $ "+" and a second set $B_{k'}$ with $k' \in K'$,
resulting in the POM $F'_{k'} = B_{k'}^\dagger B_{k'}$, which are applied to the signals from the set $\alpha = $ "×". Of course, these two sets
of operators can not be chosen arbitrarily. The complete positive map has to be identical for all density matrices $\rho$,
that is

$$\tilde\rho = \sum_{k \in K} A_k \rho A_k^\dagger = \sum_{k' \in K'} B_{k'} \rho B_{k'}^\dagger . \qquad (24)$$

Moreover, this equality holds even for non-Hermitian matrices $\rho$. We can combine this result with the partition into
$n$-photon subspaces. Then we find that even the stronger statement

$$\sum_{k \in K^{(n)}} A_k \rho A_k^\dagger = \sum_{k' \in K'^{(n)}} B_{k'} \rho B_{k'}^\dagger \qquad (25)$$

holds. Before we go on to the derivation of the relation between average disturbance and average collision probability
I would like to point out that this treatment takes into account the rich structure of modes supported by optical
fibers and the fact that detectors monitor a multitude of modes. As long as the detection POM commutes with the
projector onto the actually used signal mode, which is usually the case, we can separate the action of the $A_k$ with
respect to the photon number in a similar way.



C. Separation into n-photon contributions 



In this section we are going to present the disturbance measure $\bar\epsilon$ and the collision probability as sums over
contributions with different definite photon number $n$ arriving at Bob's detector unit. We start from the definition of
the disturbance $\epsilon$. To allow some comparison between correcting and discarding errors, we present a unified definition
which defines, even for discarded errors, a disturbance measure per bit of the reconciled key. This definition is given
by

$$\epsilon = \frac{n_{\mathrm{err}} + w_D n_D}{n_{\mathrm{rec}}} . \qquad (26)$$

Here $n_{\mathrm{err}}$ is the number of errors in the sifted key, $n_D$ is the number of ambiguous results occurring and $n_{\mathrm{rec}}$ is the
number of bits in the reconciled string. The weight parameter $w_D$ for ambiguous signals will be fixed later on. If we
keep the size of the reconciled key fixed, then the expectation value of $\epsilon$ is described by

$$\bar\epsilon = \frac{p_{\mathrm{err}} + w_D p_D}{p_{\mathrm{rec}}} \qquad (27)$$

where $p_{\mathrm{err}}$, $p_D$, $p_{\mathrm{rec}}$ are the absolute probabilities that a signal will, respectively, enter the sifted key as error, cause
an ambiguous result, or become an element of the reconciled key. As mentioned before, it should be noted, that no
estimate $\bar\epsilon$ from measured data can be easily presented in the case of discarded errors. We separate the contributions
from the different photon number signals as

$$\bar\epsilon = \sum_n \frac{p_{\mathrm{rec}}^{(n)}}{p_{\mathrm{rec}}} \, \frac{p_{\mathrm{err}}^{(n)} + w_D p_D^{(n)}}{p_{\mathrm{rec}}^{(n)}} = \sum_n \frac{p_{\mathrm{rec}}^{(n)}}{p_{\mathrm{rec}}} \, \bar\epsilon^{(n)} \qquad (28)$$

where we have implicitly defined

$$\bar\epsilon^{(n)} = \frac{p_{\mathrm{err}}^{(n)} + w_D p_D^{(n)}}{p_{\mathrm{rec}}^{(n)}} \qquad (29)$$

as the $n$-photon contribution towards the disturbance measure. Now $p_X^{(n)}$ are the conditional probabilities that a signal
has property $X$ while being transferred as $n$-photon signal between Eve and Bob. The total disturbance is given as
sum over the $n$-photon contribution weighted by the relative probability that a signal arriving as an $n$-photon signal
at Bob's detector will enter the reconciled key.

If we discard errors, then we find for the relevant probabilities (with $\bar\Psi$ as the complement to binary value $\Psi$)

pi-) = \ Tr(A-p*„44:0 ^30) 

P-=i E Tr(A-p*„44"j) (31) 
Pd'-\ E Tr(A,p>,„4F(r)) . (32) 



If we correct errors, then the probability for a signal to enter the reconciled key differs from equation (30) and is,
instead, given by



Ptgc 



I Y: Tr {A,p^,AlFi1) (33) 
i Y Tr(A,AiFi 



(«) ^ 

4 



4 



The collision probability is split into contributions related to fixed photon numbers arriving at Bob's detector in the
same manner as the disturbance measure to give

$$p_c = \sum_{n}^{\infty} \frac{p_{\mathrm{rec}}^{(n)}}{p_{\mathrm{rec}}} \, p_c^{(n)} \qquad (34)$$



with 

1 p^(^a,fca) 
^ „(") p(ka) 



pf'--- E 
The basic idea is now to estimate the one-photon contributions to these quantities and then to choose $w_D$ in such a
way that the optimal eavesdropping strategy will necessarily employ only one-photon signals. To achieve this we will
use the fact that multi-photon signals lead unavoidably to ambiguous signals, that is $p_D^{(n)} \neq 0$ for $n \ge 2$ when using
the passive detection option.



D. The one-photon contribution for discarded errors 



We use the description of the general eavesdropping strategy to calculate the one-photon contributions. We find 
with the help of the identity F^^-* — ^/0*„ 



^ keKW 1 Tr 



1 jTr^ (B,,po.i?tpo.) +Tr2 (^B^'Pi^Slp,^) 



- T — 



and with the relation between $p_{\mathrm{rec}}^{(1)}$ and $\bar\epsilon^{(1)}$ from eqn. (29), and $p_{\mathrm{sif}}^{(1)} = p_{\mathrm{err}}^{(1)} + p_{\mathrm{rec}}^{(1)}$ we find



together with the quantities 



^rcc 



pill = (36) 
1 + ' 



I E {Tr(AfeP*„4p*„)} (37) 
1 Y: Tr (a,AI) . (38) 
The equations (35)-(38) form the basis for the following calculations. To start with, we decrease the number of free
parameters to a handful of real parameters, so that we can optimize Eve's strategy to give an upper bound on $p_c^{(1)}$
as a function of $\bar\epsilon^{(1)}$. To do so, we take a new look at the complete positive mapping (21). We define four vectors
$\mathbf{A}_{00}$, $\mathbf{A}_{10}$, $\mathbf{A}_{01}$, $\mathbf{A}_{11}$ with the components $k \in K^{(1)}$ given by

A%^^, = (vf+IAfcl*;) . (39) 

These vectors are formed by the transition amplitudes from the signal states to the one-photon detection states for 
each different measurement outcome. They effectively describe not only the complete channel between Alice and Bob 
but also the complete eavesdropping strategy. With these vectors we can simplify the notation of the expectation 
values introducing vector products 

E Tr (^Afep*_^4p*Y^ = A*_,5/A^^*/ = |A,5^*/|^ . 
Similarly we can define vectors Boo, Bio, Bqi, Bn and vectors Boo, Bio, Boi, Bn with elements for k' G K'^^') 

= (vf+ii?^!*;) (40) 

= (vI',|b;|vI/'J . (41) 
These vectors are not independent. They are related by the identities 
Boo = 2 (Boo — Bio — Boi + Bn) (42)
Boi — 2 (Boo — Bio + Boi — Bn) 
Bio = 2 (-^"0 -^10 ^ -^01 ^ ^ii) 
Bii = 2 (■'^oo + Bio + Boi + Bii) 

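The advantage of this description is that the value of any scalar product of the vectors $\mathbf{B}_{\Psi\Psi'}$ remains unchanged
if the $\mathbf{B}_{\Psi\Psi'}$'s are replaced by $\mathbf{A}_{\Psi\Psi'}$'s since (25) guarantees that

$$\mathbf{B}_{\Psi\Psi'} \mathbf{B}_{\Phi\Phi'} = \mathbf{A}_{\Psi\Psi'} \mathbf{A}_{\Phi\Phi'} . \qquad (43)$$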



The idea is now to estimate and reformulate the equations (35)-(38) in such a way that the new set of equations involve
only the four vectors $\mathbf{A}_{00}$, $\mathbf{A}_{10}$, $\mathbf{A}_{01}$, $\mathbf{A}_{11}$ and the quantities $\bar\epsilon^{(1)}$, $p_{\mathrm{sif}}^{(1)}$ and $p_{\mathrm{rec}}^{(1)}$. As a first step we find from eqn. (35)



P. 



1 (Bo^;)4 + (B^;)4 



-fc'eT^a) (^So)^ + (^i';) 



k'\2 ' 



while equation (p6|) remains unchanged 



The definitions of prec and e'"'^' simplify to 



P['l = 7^ ■ (45) 



1 + eW 



p« = i (lAooP + |Anp + IBooP + (46) 
Plif = \ (lAooP + |Anp + lAoip + |AioP) • (47) 



Next we use the Cauchy inequality as shown in appendix A to estimate $p_c^{(1)}$ by an expression involving only scalar
products of the basic vectors. With use of the definition of $p_{\mathrm{rec}}^{(1)}$ this results in the expression

(1) < 1 (48) 



P. 



1 (AooAii 



)2 1 (BooBii 



2 



4prcc |Aoop + |Aii|2 4prcc |Boop + |Bii|2 ■ 

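We find that there are actually only a few real quantities left. These are $|\mathbf{A}_{00}|$, $|\mathbf{A}_{11}|$, the angle 0jJ between $\mathbf{A}_{00}$ and
$\mathbf{A}_{11}$, $|\mathbf{A}_{01}|^2 + |\mathbf{A}_{10}|^2$, $|\mathbf{A}_{01} + \mathbf{A}_{10}|^2$, $p_{\mathrm{sif}}^{(1)}$ and, finally, $\bar\epsilon^{(1)}$. The normalization factor $p_{\mathrm{rec}}^{(1)}$ can be immediately eliminated.
As shown in the appendix we can optimize $p_c^{(1)}$ and find the result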



1 fore(i)>l/2 



To compare this result with other results we introduce the error rate e in the sifted key as e = (so that e*- -* — j-r^) 
and we find 

P^^ < '^'-'-'f ■ (50) 
' " 2(l-e)' 

This upper bound was given before in p^ , p^ for the case that Eve performed non-delayed measurements. Recently
Slutsky et al. pq,P§l have found that this bound holds even for the delayed case. My formulation of that proof shows
that this bound is valid not only for the one-photon contribution but can be extended to include the full Hilbert space
of optical fibers and detectors accessible to Eve in real experiments.

From p^ , |2^ , p^ we know that this bound is sharp since the eavesdropping strategy achieving this bound is given
explicitly. It is a translucent attack. An important property of this bound is that for a disturbance rate of $\bar\epsilon^{(1)} = 1/2$
(or error rate e = ^) the eavesdropping attempt is so successful that each bit of the sifted key originating from this
part of the eavesdropping strategy is known with unit probability by Eve.



E. The one-photon contribution for corrected errors 



If we correct errors without leaking knowledge about their position to the eavesdropper, then the one-photon
contribution to the collision probability is given by

(Note that $p_{\mathrm{rec}}^{(1)} = p_{\mathrm{sif}}^{(1)}$.)



with 



(51) 



1 



E 



Tv\po^AiAk)+T?ipi^AiAk) 
Tr(4^fc) 



The disturbance parameter coincides with the error rate in the sifted key and is given by

$$\bar\epsilon^{(1)} = \frac{p_{\mathrm{err}}^{(1)}}{p_{\mathrm{sif}}^{(1)}} \qquad (52)$$



^(IBool 



PsSi-\{\ 



IBiiT 



lAoiP 



IBoil 



IBioP 



(53) 
(54) 



AooP 



|An 



IB 



00 1 



|Bii 



In the appendix I show that the collision probability in this case can be estimated by

$$p_c^{(1)} < \begin{cases} \frac{1}{2} + 3\bar\epsilon^{(1)} - 5(\bar\epsilon^{(1)})^2 & \text{for } \bar\epsilon^{(1)} < 1/4 \\ \frac{3}{4} + \bar\epsilon^{(1)} - (\bar\epsilon^{(1)})^2 & \text{for } 1/4 < \bar\epsilon^{(1)} < 1/2 \\ 1 & \text{for } 1/2 < \bar\epsilon^{(1)} \end{cases} \qquad (55)$$

This estimate is not necessarily sharp, but it is good enough for practical purposes. It shows that $\tau_1 = 1$ for an
error rate of $e = 1/2$, which corresponds to a strategy which intercepts and stores all signals while random signals are
resent. By delaying the measurement of the signals Eve thus knows all signals while causing a disturbance of 1/2.



F. One-photon contribution for corrected errors with leaked error positions

If Alice and Bob use a bi-directional error correction scheme then Eve will gain some knowledge about the positions
of the errors. She can therefore divide the signals into subsets characterized by Eve's measurement outcome $k$, the
polarization basis $\alpha$ of the signal and the correctness of the signal reception of Bob. We therefore need to introduce
new operators ^, and 0%^,, to describe the eavesdropping strategy applied to incorrectly received signals. They are
formed analogous to A\^,i and B^^, respectively. Then the one-photon contribution towards the collision probability
is given by
o„(l) ^ ('R'="l2 I ^

, 1 {Gtif^(Cl,f ^^g^ 



+ - 



The disturbance $\bar\epsilon^{(1)}$, $p_{\mathrm{sif}}^{(1)}$ and $p_{\mathrm{err}}^{(1)}$ are defined as in eqns. (52) to (54) where we note that within scalar products like
equation (43) the vectors $\mathbf{C}$ ($\mathbf{D}$) can be replaced by $\mathbf{A}$ ($\mathbf{B}$). In the appendix I show that

$$p_c^{(1)} < \begin{cases} \frac{1}{2} + 2\bar\epsilon^{(1)} - 2(\bar\epsilon^{(1)})^2 & \text{for } \bar\epsilon^{(1)} < 1/2 \\ 1 & \text{for } 1/2 < \bar\epsilon^{(1)} \end{cases}$$

As it is the case if the error positions are not known to Eve, this estimate is not necessarily sharp. This is due to the
use of the Cauchy inequality during the estimation. It shows a behavior analogous to that of equation (55) that for
an error rate of $e = 1/2$ (and disturbance rate $\bar\epsilon = 1/2$) we find $\tau_1(1/2) = 1$ which means that Eve knows the whole
key.



G. Multi-photon signals between Eve and Bob 

To deal with multi-photon signals we have to pick a detection model. We will concentrate here on the passive
detection scheme to choose $w_D$ such that it is disadvantageous for Eve to use multi-photon signals. In my thesis ]2^ ]
I have shown that even for active switching between two polarization analyzers with different polarization orientation
one can show security against eavesdropping strategies employing multi-photon signals.

The crucial observation for the passive detection unit is that sending multi-photon signals will invariably cause the
outcome associated with $F_D$ to appear with a finite probability. This means that we can choose the weight factor
$w_D$ such that $\bar\epsilon^{(n)} >$ e^^^ holds for $n \ge 2$. As a consequence the optimal eavesdropping strategy will employ only
single-photon signals. The contribution of ambiguous signals to the disturbance parameter $\bar\epsilon^{(n)}$ for discarded errors is
bounded by a rough estimate obtained with help of eqn. ( |2^ ) by omission of suitable positive terms in the expression
for $F_D$

An) Tr(A,p*„4F,,) 

Ed_ ^ (60) 



> 



(i-2-«) 



> 1 



2-n 

The contribution of ambiguous signals to the disturbance parameter $\bar\epsilon^{(n)}$ for corrected errors is bounded in the same
way as

An) Tr(A,p*„4F,,) 



fir/ iE...(")TrU.p*„44;) 



4 



2-"iE.eK(") Tr(Afcp*„44']) 
One can find lower values of $w_D$ estimating the expression for $\bar\epsilon^{(n)}$ as a whole including the errors in the sifted key.
However, the values found here serve our purposes well enough.

For correcting and for discarding errors, we find that a disturbance parameter e — 1/2 means that Eve knows 

the whole key using one- photon signals. Therefore, if we choose wd = 5 wc obtain e*^"^ > wd^-^ > \ and e*-"-* > 



'"'-D^fe" ^ \ respectively and can bound the collision probability, taking into account the possibility of multi-photon 
signals, for discarded errors by 



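$$\tau_1(\bar\epsilon) < \begin{cases} \log(1 + 4\bar\epsilon - 4\bar\epsilon^2) & \text{for } \bar\epsilon < 1/2 \\ 1 & \text{for } 1/2 < \bar\epsilon \end{cases} \qquad (62)$$

for corrected errors without leaked error position by

$$\tau_1(\bar\epsilon) < \begin{cases} \log(1 + 6\bar\epsilon - 10\bar\epsilon^2) & \text{for } \bar\epsilon < 1/4 \\ \log(\tfrac{3}{2} + 2\bar\epsilon - 2\bar\epsilon^2) & \text{for } 1/4 < \bar\epsilon < 1/2 \\ 1 & \text{for } 1/2 < \bar\epsilon \end{cases} \qquad (63)$$

and for corrected errors with leaked error positions by

$$\tau_1(\bar\epsilon) < \begin{cases} \log(1 + 4\bar\epsilon - 4\bar\epsilon^2) & \text{for } \bar\epsilon < 1/2 \\ 1 & \text{for } 1/2 < \bar\epsilon \end{cases} \qquad (64)$$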

The results for $\tau_1$ are shown in figures 2 and 3 respectively. It should be noted again, that the value of the disturbance
parameter changes depending on the intention to correct the errors. For other detector models these results hold as
well as long as we can show that for them the condition $\bar\epsilon^{(n)} > 1/2$ for $n \ge 2$ holds. This condition can be readily
satisfied if $p_D^{(n)}/p_{\mathrm{rec}}^{(n)} > \mu$ for some $\mu > 0$ and $n \ge 2$ by choosing $w_D = 1/(2\mu)$. For experiments with negligible numbers
of ambiguous results we can approximate the disturbance $\bar\epsilon$ by a function of e = as the traditional error rate in
the sifted key. In the case of discarding errors this approximation is $\bar\epsilon \approx e/(1-e)$ while for corrected keys it is $\bar\epsilon \approx e$.
FIG. 2. The fraction $\tau_1$ has to be discarded during privacy amplification as a function of the disturbance per correctly
received element of the generalized sifted key if errors are discarded. This result is a sharp estimate in the sense that Eve can
reach the level of collision probability on which the estimate is based.



[Plot for FIG. 3; horizontal axis: disturbance parameter, 0 to 0.5.]

FIG. 3. The fraction $\tau_1$ has to be discarded during privacy amplification as a function of the disturbance per element of
the generalized sifted key if one corrects errors. If no information about the position of errors leaked to the eavesdropper, we
find for $\tau_1$ the dash-dotted curve, for leaked error positions we find the solid curve.



Since we cannot give an estimate for $\epsilon$ from measured quantities in the case of discarded errors, we concentrate on
reconciliation methods which correct errors. From the results of this section we see that this is the better method
anyway, since discarding errors leads to a smaller $n_{rec}$ than correcting errors. This number would have to be reduced
further during privacy amplification than in the case of corrected errors, as can be seen by comparison of the estimates
for $\tau_1$ as a function of $\epsilon$. Therefore the final key will be shorter and with that the protocol less efficient.

From the estimates we find that the direct estimate for $\tau_1$ gives higher values if the information about error positions
has not leaked to the eavesdropper during reconciliation. We can regard the information of error positions as spoiling
information and thus use the estimate (64) even in the case of uni-lateral error correction. Spoiling information
is any information which increases Eve's Shannon information but decreases her expected collision probability on the
key, leading to a decreased value of $\tau_1$. We conclude that from the point of view of privacy amplification and reconciliation,
the best known way to give a high rate of secure bits would be to use bi-lateral reconciliation methods.



V. ANALYSIS OF THE EFFICIENCY OF KEY GROWING 



The process of quantum key growing depends on physical parameters and on the security parameters of the final 
key. In this section we will bring together the essential formulas about the security statements concerning an accepted 
key and about the average key growing rate we can expect. This analysis is presented only for error correction 
reconciliation methods. 



A. Security needs 

The first thing a potential user has to fix is the tolerated change of Shannon entropy $I_{tol}$ an eavesdropper might
obtain on the key without posing a security hazard to the application in mind. Since this limit cannot be guaranteed
with absolute certainty, the user has to limit the tolerated probability $\alpha_{tol}$ that Eve's knowledge exceeds $I_{tol}$.
Authentication may fail to detect errors, leaving Alice and Bob with a key neither safe nor shared. The tolerated
probability for this has to be specified as $\gamma_{tol}$.

Given $I_{tol}$, $\alpha_{tol}$ and $\gamma_{tol}$ and having in view a particular physical implementation of the quantum channel, Alice
and Bob fix a value of the tolerated disturbance $\epsilon_{max}$ and of the security bits $n_S$ used in privacy amplification, as
well as the length $n_{sif}$ of the sifted key and the number of secure bits $N_{aut}$ used for authentication such that for an
accepted key the security target set by $I_{tol}$, $\alpha_{tol}$ and $\gamma_{tol}$ is met and that the rate of secure bits generated, given below,
is optimized.



B. Security statement 



The following security statement holds if the key growing is performed by extracting a key of length

$$n_{fin} = n_{sif}\left[1 - \tau_1(\epsilon_{max})\right] - n_S \qquad (65)$$

from the reconciled key during privacy amplification. Here $\tau_1$ is given by the functional dependence of equations
(63) and (64) respectively. From the previous calculations we find that the bits generated in a run of the key growing
process are secure in the sense that Eve achieves a change of Shannon entropy on the accepted key of less than $I_{tol}$
with probability $\alpha$. The contributions to $\alpha$ are the probability of failure of the estimation of the average disturbance
given by $\alpha_1$ in equation (p^), the probability to estimate the Shannon information in a specific run from the average
information, given by $\alpha_2$ in equation ( p^ ) and the probability of faked authentication, given by $\alpha_3$ in equation (p^).
Since all those quantities are expected to be small, the estimate



a < ai + a2 + as (66) 
= exp(-2nsif(5^) 



.2^ , ln(2""^ + l) , 



exp(-2nsit(5^) 



Atoi 

2-ns 



Atoi In 2 



with $\delta = \epsilon_{max} - \epsilon_{meas}$ is sufficient for practical purposes.

The failure to establish a key in a specific run is due to the failure of authentication. Here two contributions can be
distinguished. One is the failure of reconciliation, which happens with probability $\beta_1$, the other is the failure to reach
the target of $\alpha_{tol}$ in that run, which is signaled by making the authentication fail. This happens with a probability
$\beta_2$. In the design of the set-up and the choice of parameters we would need to estimate $\beta$ so that at least in the
absence of an eavesdropper we will find a net gain of secure bits according to the formula given below. Miscalculation
of $\beta$ does not affect the security of the key, it only affects the efficiency of key generation. We therefore omit detailed
examinations of values for $\beta$.

The last quantity concerning the security of the key is $\gamma$, which is the probability that authentication succeeds
although Alice and Bob do not share a key. This probability can be estimated by $\gamma$ = 2^^='"'+-'^.



C. Gain 



In the previous subsection we described the influence of the chosen basic parameters on the acceptance and security of
a run of key growing. Since we need secret bits as an input for the key generation we have to make sure that on average
we will gain more secret bits than we put in. The important quantities here are the success probability $p_{succ} = 1 - \beta$
that a run of the key expansion leads to accepted new secure bits, the number $N_{out} = n_{rec}\left[1 - \tau_1(\epsilon_{max})\right] - n_S$ of secret
bits gained in that instance and the average number $N_{in} = N_{rec} + N_{aut}$ of input secret bits. Then the condition for
an overall gain on average is to have a positive value of $N_{gain} = p_{succ} N_{out} - N_{in}$ resulting in

$$N_{gain} = (1 - \beta)\left\{ n_{sif}\left[1 - \tau_1(\epsilon_{max})\right] - n_S \right\} - N_{aut} - N_{rec} . \qquad (67)$$

To explore the implications of this condition we go to the limit of large sample sizes. Then we can neglect the number
of secret bits used for authentication and the safety parameter $n_S$. The remaining contribution of $N_{in}$ now comes
from the error correction part. For ideal error correction we can set $\beta = 0$ and can use the Shannon limit which gives
$N_{in} = n_{sif}\left(1 - I_{AB}(\epsilon_{meas})\right)$ with the Shannon information shared between Alice and Bob given by

$$I_{AB}(\epsilon_{meas}) = 1 + \epsilon_{meas} \log \epsilon_{meas} + (1 - \epsilon_{meas}) \log(1 - \epsilon_{meas}) . \qquad (68)$$

With these preparations we find

$$N_{gain} = n_{sif}\left[1 - \tau_1(\epsilon_{meas})\right] - n_{sif}\left(1 - I_{AB}(\epsilon_{meas})\right) .$$

In the limit of $n_{sif} \to \infty$ we can assume that $\delta$ still satisfies any confidence limits put on $\alpha$. Therefore the
condition $N_{gain} > 0$ is now equivalent to

$$I_{AB}(\epsilon_{meas}) > \tau_1(\epsilon_{meas}) . \qquad (69)$$

As we see from figure 4 this means that the protocol in the presented form will be able to grow secret keys only
for set-ups operating at an error rate of less than 11.5% for error correction. However, making use of the concept
of spoiling information and of improved estimates of $p_c$ might result in lower estimates for $\tau_1$. A lower bound is,
however, the Shannon information $I_{AE}$ shared by Alice and Eve in this scenario. Fuchs et al. give in [ p^ a sharp
bound for $I_{AE}$, which is shown in figure 4 as dotted line. The difference between $\tau_1$ and $I_{AE}$ represents the average
gain G in a run of the key growing protocol in the limit of ideal error correction and infinite sample sizes. The gain

$$G = I_{AB}(\epsilon_{meas}) - \tau_1(\epsilon_{meas}) \qquad (70)$$

gives the length of the final key as a fraction of the generalized sifted key.




[Plot: horizontal axis, error rate $e$ on sifted key]

FIG. 4. Shortening during privacy amplification, represented by $\tau_1$ (uni-lateral scenario in dash-dotted curve, bi-lateral
scenario as solid curve), in balance with the loss during reconciliation, represented by $I_{AB}$ (falling solid line). The intersection
between two lines limits the tolerable error rate in the generalized sifted key in the case of corrected errors. A lower limit of
potentially improved bounds for $\tau_1$ is $I_{AE}$ (dotted line).
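
The balance described by equations (67) to (70) can be evaluated numerically. The following Python sketch is an added example, not code from the paper: it uses the leaked-error-position bound (64), takes the disturbance equal to the error rate as the text does for corrected keys, and locates the error rate at which the gain (70) changes sign. Function names, the base-2 logarithm and the run parameters in the demo are assumptions of this example.

```python
import math

def tau1_leaked(eps):
    """Eq. (64): key fraction removed in privacy amplification (error positions leaked)."""
    if eps < 0:
        raise ValueError("disturbance must be non-negative")
    if eps >= 0.5:
        return 1.0  # whole key has to be discarded
    # Base 2 assumed: the bound reaches 1 where 1 + 4*eps - 4*eps^2 = 2.
    return math.log2(1 + 4 * eps - 4 * eps ** 2)

def i_ab(e):
    """Eq. (68): Shannon information shared by Alice and Bob at error rate e."""
    if not 0 <= e <= 1:
        raise ValueError("error rate must lie in [0, 1]")
    if e in (0.0, 1.0):
        return 1.0  # limit of e*log(e) for e -> 0
    return 1 + e * math.log2(e) + (1 - e) * math.log2(1 - e)

def asymptotic_gain(e):
    """Eq. (70): final key length as a fraction of the sifted key."""
    return i_ab(e) - tau1_leaked(e)

def max_tolerable_error(tol=1e-12):
    """Error rate where condition (69) stops holding; G is decreasing on (0, 1/2)."""
    lo, hi = 1e-9, 0.5  # G(lo) > 0 and G(hi) = -1
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if asymptotic_gain(mid) > 0:
            lo = mid
        else:
            hi = mid
    return lo

def finite_gain(n_sif, e_meas, delta, n_s, n_aut, beta=0.0):
    """Eq. (67) with eps_max = e_meas + delta and N_rec at the Shannon limit (assumption)."""
    eps_max = e_meas + delta
    n_out = n_sif * (1 - tau1_leaked(eps_max)) - n_s
    n_rec = n_sif * (1 - i_ab(e_meas))
    return (1 - beta) * n_out - n_aut - n_rec

if __name__ == "__main__":
    print(f"G changes sign at e = {max_tolerable_error():.4f}")
    # Constructed run parameters, not values from the paper.
    for e in (0.01, 0.03, 0.05, 0.08, 0.11):
        print(e, round(asymptotic_gain(e), 4),
              round(finite_gain(100_000, e, 0.01, 30, 100)))
```

With the constructed parameters of the demo, a margin of 0.01 between measured and tolerated disturbance already makes the net gain negative at an 11% error rate, although the asymptotic gain there is still positive.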



VI. CONCLUDING REMARKS 



In this paper I have given estimates needed in quantum cryptography which are closely oriented towards practical
experiments. I do not deal with security against all possible attacks in quantum mechanics, but I deal with all attacks
on individual signals. This allows me to include issues related to practical implementation of quantum cryptography
which still cannot be treated in the general scenario. One of these issues is the question of signals which, for example,
simultaneously triggered two detectors monitoring orthogonal polarization modes. (This is the question of multi-photon
signals resent by Eve, leading to ambiguous signals.) The other important question is that of an efficient key
reconciliation prior to privacy amplification. As seen in this paper it is possible to use the efficient bi-lateral error
correction scheme of Brassard and Salvail [14] without compromising security.

In the statistical analysis I showed that it is possible to limit in this scenario the knowledge of the eavesdropper
on the final key in an individual realization from measured quantities for parameters which seem to be reachable in
experiments. As measure of the eavesdropper's knowledge I used the change between a-priori and a-posteriori Shannon
entropy associated with the corresponding probability distributions over all possible keys from Eve's point of view.
One has to take into account that single-photon signal states are not used in today's experiments. However, this
theory can be extended to signal states containing multi-photon components. A first approach for that is to estimate
= 1 for each bit of the reconciled key on which Eve could have performed successfully a splitting operation with 
subsequent delayed measurement. Denote by the total number of these bits, then we need to reduce the key 
during privacy amplification by 

^(muit) (-) ^ ^ ^ JhA fe ""'"^ \ . (71) 

^rcc \ ^rcc / \ ^rcc / 

The statistics, however, become more complicated this way and it seems to be better to include the dim coherent
states directly as signal states and to solve the problem in a clean way. Work in that direction is currently in
progress.

The estimates for $\tau_1$ are not necessarily sharp in the case of error correction, and even in the case of discarding
errors this limit could be lowered using spoiling information [7]. However, the possible improvement of efficiency of
the key growing process is limited and this fine-tuning might be postponed until the experimentally relevant situation
for dim coherent signal states is solved.
APPENDIX A: CAUCHY INEQUALITY

In this appendix we prove the inequality ( p8| ) starting from the expression 



pill {B'oof + {Bl[Y 



We rewrite the first sum as 



k \ 

and use the Cauchy inequality, given as 



^Y.-^y') ^ (e-i) (T.yl] (^3) 

^fc / \ k J \ k I 



j:4>^^^ (A4) 

I. 2^k Vk ■ 



We set Xk = ^ and yt = \/(^oo)^ + (^n)^ to obtain the inequality 



l.((^o) +(Ar)) + 



This can be used to estimate the first part in (A1) while the second part can be estimated similarly so that, with the
help of eqn. (^) , we find the result

pi'' < 1 (A6) 



1 (AqqAh)' ] 

'4prec |Aoo|2 + |Aii|2 4proc |BooP + |Bii|2 
APPENDIX B: MAXIMIZING $p_c^{(1)}$ FOR DISCARDED ERRORS

To optimize the expression ( ^ ) we first note that we can assume that |Aoo| — |Aii|. If Eve starts with a strategy 
defined by operators Ak not satisfying this condition, then she could use the A-operators — ( ^ ^] A, ^ ^ 



^1 y \^ 1 

without a change in the obtained collision probability or disturbance. When we combine the two strategies we find that
the resulting vectors satisfy $|A_{00}| = |A_{11}|$ and $|A_{01}| = |A_{10}|$. This then gives the estimate $|A_{01} + A_{10}|^2 \leq 4|A_{01}|^2$.
Another observation is that we can always choose $|A_{00}| + |A_{11}| \geq |B_{00}| + |B_{11}|$ which means that there are fewer or
equal errors in the sifted key coming from the use of the polarization basis '+' than from the basis 'x'. This can
always be satisfied, since both polarization bases could be interchanged. Using $|A_{00}| = |A_{11}|$ and the definition of $|B_{00}|$
and $|B_{11}|$ this results in $2|A_{00}|^2(1 - \cos\phi_{00}^{11}) \geq |A_{01} + A_{10}|^2$ with the angle $\phi_{00}^{11}$ between $A_{00}$ and $A_{11}$.

The three relevant relations now become after elimination of pill according to ( |3^ and the use of the relations (|4 

2 

(Bl) 



(1) . , (l + eW)|Aoop(cos(/>ii)2 _ (1 + eW) (2|Aoop(l + coscj^l',) - [Api + Aipp) 



32ftif (2|AooP(l + cos 011) + |Aoi + AioP) 



^^^1^ = 1 (|Aoo|'(3 + cos 0ji) + i|Aoi + Aiol^) (B2) 
ftif-i(|Aoo|' + |Aoi|2) (B3) 

Our next step is to show that we can estimate the optimal value of $p_c^{(1)}$ by replacing $|A_{01} + A_{10}|^2$ by $4|A_{01}|^2$. To see
that, we observe that this would allow us to decrease $(1 + \epsilon^{(1)})$ by eqn (B2), meaning a lower error rate. At the same
time $p_c^{(1)}$ grows indirectly from the falling value of $(1 + \epsilon^{(1)})$ and directly, since $\frac{d}{dD} p_c^{(1)} > 0$ with $D := |A_{01} + A_{10}|^2$.
To prove the last point we calculate

A^(i) . (1+^^^^)-^ (B4) 

dD ^ 32ftif(2|AooP+i? + 2|AooP cos 

A = 12|Aoo|^ - 4|Aoopi? - + 24|Aoo|*cos0iJ - 4 1 Aqo pi? cos (/.J J + 12|Aoo|^(cos(/)JJ)2 . (B5) 
This is positive, if A is positive. This is, indeed, the case since 

■^A = -4| AooP -2D- 4| AooP cos < (B6) 

allows us to evaluate A at the maximal value of Dmax = 2|AooP(l — cos(/)JJ) where it gives zero. This proves that 
^ > and with that ■jf^p'^P > 0. Therefore, three relevant equations become 



^ (l + 6(^))|Aoop(cos0ii)^ _ (l + 6W)(|Aoop(l + cos0;;)-2|Aoip)^ 

- Spsif 16p,if (|AooP(l + cos0ii) + 2|AoiP) ^ ' 

= 1 (|AooP(3 + COS01J) + 2|Aoip) (B8) 

ftif = i(|AooP + |Aoip) (B9) 



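We solve (B8) and (B9) for $|A_{01}|$ and $\cos\phi_{00}^{11}$ and insert these into (B7). The maximum over $|A_{00}|$ is then taken and
we find

$$p_c^{(1)} \leq \frac{1}{2}\left(1 + 4\epsilon^{(1)} - 4\left(\epsilon^{(1)}\right)^2\right) . \qquad (B10)$$

The strategy resulting in this collision probability is described by

$$|A_{00}|^2 = |A_{11}|^2 = \frac{2 p_{sif}}{1 + \epsilon^{(1)}} \qquad (B11)$$

$$|A_{01}|^2 = |A_{10}|^2 = \frac{2 p_{sif}\,\epsilon^{(1)}}{1 + \epsilon^{(1)}} \qquad (B12)$$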


cos ^ 


1 - 2e(i) 




(B13) 


COS = 


1 . 




(B14) 
In the derivation we have chosen $2|A_{00}|^2(1 - \cos\phi_{00}^{11}) \geq |A_{01} + A_{10}|^2$ and find the optimal solution respects this choice
for $\epsilon^{(1)} \leq \frac{1}{2}$. For $\epsilon^{(1)} = \frac{1}{2}$ we find $p_c^{(1)} = 1$ so that we conclude that

1 1 for e(i) > 1/2 



APPENDIX C: MAXIMIZING $p_c^{(1)}$ FOR CORRECTED ERRORS



We start from equation and use the Cauchy inequality in a similar way as in appendix A. We obtain the bound



Pc 



«<1 



(AqqAio)^ + (AqqAii)^ + (AoiAio)^ + (ApiAn)^ 
|Aoo|' + |Aoi|' + |Aio|' + |An|' 



(CI) 



(^BqoBio^ + ^BooBii^ + ^BoiBio^ 



2 / _ . \ 2 

BoiBii 







2 




to 




to 






( 


Boo 


+ 


Bqi 


+ 


Bio 


+ 


Bii 





Next we introduce the angles ipQQ, (Pqq, (PqI between the corresponding vectors Aoo, Aio, Aoi, An, make use of the 
relations (^2|) and (|4^) , use the symmetry argument as in appendix ^ and find after some transformation the set of 
equations 



(C2) 



IAqoI^ (1 - 3 cos^ ^11) + lAoil" (1 - 3cos^ 



+ |Aoo|'|Aoi|' 



8(|Aoo| 

3 + cos ifll cos — 2 cos^ (pIq 
4(|Aoo|' + |Aoi|')2 



-(1) ^ |Aoo|^ (1 - cosifll) + |Aoi|^ (3 - cosipl'i) 
4(|Aoo|' + |Aoi|') 



(C3) 



The first observation is that it is optimal to choose cos(^qq — since this choice optimizes pi^"* while it leaves e*-^-* 
unchanged. The second observation is that the choice of 

I Aoo I ^ cos ipll = \Aoif cos ifll (C4) 

within the subspace defined by 

I Aoo I ^ cos (^oJ + I Aoi I ^ cos (pl° = const 
and fixed values of |Aoo| and |Aoi| is optimal if this choice is possible. In this case we are left with the equations 



pi'' < ? 



^ lAoor (1 - 4cos^ ifll) + lAoir + 6 [Apor lAoir 
8(|Aoo|' + |Aoi|')2 

|Aoo|'(l-2cosy>ii) + 3|Aoi|' 
4(|Aoo|' + |Aoi|') 



(C5) 



(C6) 



At the end of a short maximization calculation we find a solution consistent with symmetry condition (C4) for 
i < e^^^ < ^. It is given by 

3 / ,-,n2 



(C7) 
This maximum is obtained by choosing the values cos ipqq

10 _ l-2e(i' 



2(l-e(i)) 



and I An 



The symmetry 



condition (C4) then gives cos(y5j]' = ^-^o-) which Umits the range of vahdity to |; < e^^K For j > e^^-* we find the 
optimal solution by selecting cosi/Jq" = 1. A short maximization calculation then gives the bound 



,(!)< 1+3^(1) _ 5 f^(i)^' 



■(1) 



(C8) 



for the choice of parameters cos(^Jq = |Aoi| = |A( 



00 I 



APPENDIX D: MAXIMIZING $p_c^{(1)}$ FOR CORRECTED ERRORS WITH LEAKED ERROR POSITIONS



We apply Cauchy inequalities to equation (|5^) and use the vector notations A, B, C, and D to find 



(Dl) 



1 




AooAii 




1 




CoiCio 


2 




|A 


ooP + l^ 




4psif 


|C 


oiP + |C 




1 




BooBii 


2 


1 




DoiDio 


2 



4psif |BooP + |BnP 4psif |Doi|2 + |DioP 

It becomes clear immediately that we can replace C by A and D by B because of relations similar to (H^). Similar
to the calculations in appendices B and C we introduce the angles (fH, (/Sqq, and use the relations (42) and ( |4^ )
and the symmetry argument introduced in appendix B to find the new form of (D1) as



^(1) ^ 3 _ lApopcos^ ifll + lApipcos'^ ifill 



4(|Ao 



lAoiP) 



(D2) 



lAooPlAoip 



2(|Ao 



lAoiP) 



(1 + cos^JJ)(l+cos^iO) 



I Aoo p ( 1 + COS V3 1 1 ) + I Ao 1 1 2 ( 1 + COS ) 



(1 -C0S(/7i^J)(l 



|AooP(l - cos^ll) + |Aoi|2(l - cosv^i?) 
while we take from appendix C the expression for $\epsilon^{(1)}$ as

-(1) _ |Aoop (1 - cosifll) + lApip (3 - cos ifll) 



4(|Ao 



lAoiD 



(D3) 



We next perform a variation along the path defined by |AooP cost^jJJ + |Aoi P cos (/sj^ = const and find that pc^-* 
is optimized for the choice cos (fiH = cos (/sJJ ■ An optimization calculation for the remaining parameters leads to the 
estimate 



,(1) < 



2e(i) - 2 



(D4) 



for a disturbance e*^^) < 1/2. This optimum is obtained by choosing cos(poo — 1 ~ 26'""^^ and |Aoo| = |A, 



on 



'i_j(i) 